Password Policy Enforcement - Hitachi ID Password Manager

When users select a new password with Hitachi ID Password Manager -- either using its
web portal or by changing their password natively on a system that has
been configured to trigger transparent synchronization -- Password Manager
applies a site-defined set of password quality rules. Users are
not allowed to select passwords that violate this policy.

The policy engine supports over 50 types of rules, including an
unlimited-length history, word and permutation checks against various
dictionaries, and checks against the user ID and its permutations.
Regular expression matching is also supported, so that a Hitachi ID Systems customer
can define its own rules where the built-in ones do not cover a requirement.

When using the Password Manager web portal, password policy rules are
displayed to the user on the screen where users are prompted to select
a new password. Rule violations, if any, are detailed on the subsequent
screen.

With transparent synchronization, password policy rules are not generally
displayed, so as to leave the native password change mechanism
untouched. Password policy violations are communicated to the user
with various mechanisms, including win-popup messages, e-mail and
display to the user's terminal session on Unix and z/OS systems.

A Global Policy

Password Manager is normally configured to enforce a uniform password
policy across all systems, to ensure that any new password will be
acceptable to every integrated system. This provides the clearest
and most understandable experience to users. Password Manager is configured such
that it will never accept or attempt to propagate a password that does
not meet this global password policy.

For instance, in the case of an organization that has both Windows
Active Directory (AD) and z/OS passwords, where users may enter
very long passwords on AD but only 8 characters on the (older) mainframe,
Password Manager can require that passwords be exactly 8 characters long.
Alternately, Password Manager can support longer passwords but truncate them
when it updates the mainframe. (Users generally prefer the preset
length rule, as it is easier to understand than automatic truncation.
Truncation also means the mainframe password is simply the first 8
characters of the longer one, so the extra length adds no strength on
that system, and the rules should be checked against the truncated value
as well as the full one.)

Representational constraints limit what can be physically stored
in a password field on a given system. Usually there are just
two such rules: maximum length and allowable character set.

A global password policy is normally created by combining and
strengthening the best-of-breed complexity requirements from each
system affected by the policy. Password Manager then combines these with the
most restrictive representational constraints. This forces users
to select strong, secure passwords on every system.

The alternative, of defining different password policies for
every target system or for groups of target systems, is considered to be
user-unfriendly. To update their passwords, users must select a
system, choose a password, wait for the password update to complete,
possibly re-authenticate, choose another system, choose a different
password, etc. Users must then remember multiple passwords and will
continue to experience many password problems. It has been shown that
users with many passwords have a strong tendency to write down their
passwords.

Support for Incompatible Policies

Normally, it is desirable to have a single, global password policy.
This makes the user experience much simpler and encourages high
user adoption.

In some cases, it is impossible to formulate a single, consistent
password policy that works across two different systems. Typically this
happens when one system requires strong security and complex passwords,
while another system simply cannot support complex passwords.

Examples of weak systems include legacy applications that use very
short passwords or numeric PINs, voice mail passwords, etc.

Systems with a moderate password complexity capability typically
include mainframes and database servers.

Systems with a strong password complexity capability typically include
Active Directory, LDAP directories and modern implementations of Unix.

If some systems have mutually exclusive password complexity
capabilities, they can be grouped into mutually-compatible sets,
and each set of systems is configured as its own Password Manager target group.
Note that multiple Password Manager target groups can co-exist on a single
Password Manager instance and do not require separate maintenance. Configuration
takes just a few minutes.

Each Password Manager target group can support its own set of
password policies, as well as policies regarding transparent
password synchronization.

When users choose to change their passwords, they must first
select a target group in the Password Manager user interface. Subsequently,
appropriate policy information is displayed and enforced.

Clearly, it is preferable to formulate a single password policy
for all systems whenever possible, to eliminate the proliferation of
passwords that Password Manager is designed to address in the first place.
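The derivation described above (the strongest complexity rule from each system, the most restrictive representational constraint, and a fallback to target groups when no single policy is feasible) as an added Python example. This is not Hitachi ID code and does not show how Password Manager stores or combines its configuration; the three sample systems and their limits (a 127-character Active Directory field accepting letters, digits and punctuation, an 8-character z/OS RACF field limited to letters, digits and @#$, and a 6-digit voice-mail PIN) are assumptions chosen to mirror the AD, mainframe and PIN cases in the text.

```python
"""Derive a global password policy from per-system constraints and fall back
to target groups when the systems cannot share one policy.
Added example, not Hitachi ID code; the sample systems are assumptions."""
import string
from dataclasses import dataclass

DIGITS = frozenset(string.digits)
LOWER = frozenset(string.ascii_lowercase)
UPPER = frozenset(string.ascii_uppercase)
PUNCT = frozenset(string.punctuation)
ALNUM = LOWER | UPPER | DIGITS


@dataclass(frozen=True)
class SystemConstraints:
    """What one target system can store (representation) and demands (complexity)."""
    name: str
    max_length: int                 # representational: longest value the field holds
    charset: frozenset              # representational: characters the field accepts
    min_length: int = 1             # complexity rules the system itself enforces
    require_digit: bool = False
    require_mixed_case: bool = False
    require_punct: bool = False


@dataclass(frozen=True)
class GlobalPolicy:
    systems: tuple
    min_length: int
    max_length: int
    charset: frozenset
    require_digit: bool
    require_mixed_case: bool
    require_punct: bool

    def conflicts(self):
        """Reasons no password could satisfy every member system; empty means feasible."""
        found = []
        if self.min_length > self.max_length:
            found.append(f"minimum length {self.min_length} exceeds maximum {self.max_length}")
        if self.require_digit and not self.charset & DIGITS:
            found.append("a digit is required but digits cannot be stored")
        if self.require_mixed_case and not (self.charset & LOWER and self.charset & UPPER):
            found.append("mixed case is required but both cases cannot be stored")
        if self.require_punct and not self.charset & PUNCT:
            found.append("punctuation is required but cannot be stored")
        return found


def combine(systems):
    """Strongest complexity rule from each system, most restrictive representation."""
    systems = tuple(systems)
    return GlobalPolicy(
        systems=tuple(s.name for s in systems),
        min_length=max(s.min_length for s in systems),
        max_length=min(s.max_length for s in systems),
        charset=frozenset.intersection(*(s.charset for s in systems)),
        require_digit=any(s.require_digit for s in systems),
        require_mixed_case=any(s.require_mixed_case for s in systems),
        require_punct=any(s.require_punct for s in systems),
    )


def group_compatible(systems):
    """Greedily place each system in the first target group it can share a policy with."""
    groups = []
    for s in systems:
        for g in groups:
            if not combine(g + [s]).conflicts():
                g.append(s)
                break
        else:
            groups.append([s])
    return [combine(g) for g in groups]


# Sample systems with assumed limits, mirroring the AD / z/OS / PIN cases in the text.
AD = SystemConstraints("Active Directory", max_length=127, charset=ALNUM | PUNCT,
                       min_length=8, require_digit=True, require_mixed_case=True)
ZOS = SystemConstraints("z/OS RACF", max_length=8, charset=ALNUM | frozenset("@#$"), min_length=6)
VOICEMAIL = SystemConstraints("Voice mail", max_length=6, charset=DIGITS, min_length=4)

if __name__ == "__main__":
    print(combine([AD, ZOS]))                         # one 8-character global policy
    print(combine([AD, ZOS, VOICEMAIL]).conflicts())  # why a PIN system cannot join it
    for g in group_compatible([AD, ZOS, VOICEMAIL]):
        print(g.systems, g.min_length, g.max_length)
```

For AD plus z/OS the combined policy is exactly 8 characters from letters, digits and @#$ with a digit and mixed case required, which is the "exactly 8 characters" outcome the text describes. Adding the voice-mail PIN makes the policy infeasible (minimum length above maximum, no letters storable), so the greedy grouping splits it into its own target group. The grouping depends on the order in which systems are listed: listing the strong systems first keeps them together, whereas listing the PIN system first would pull the mainframe into a 6-digit group with it.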

List of Rules

Following is the complete list of password strength rules that can be
enforced by Password Manager:

Password strength rules

Each rule is listed with its name, its type and a description. A rule of
type Req/Warn can be configured either as a requirement (a violating
password is rejected) or as a warning (the user is told, but the password
is accepted); a rule of type On/Off is simply enabled or disabled.

Minimum length (Req/Warn)
    The smallest number of characters that a legal password can contain.

Maximum length (Req/Warn)
    The largest number of characters that a legal password can contain.

Require mixed case? (Req/Warn)
    Enable if passwords should contain both uppercase and lowercase
    characters.

Maximum no. of lower-case letters (Req/Warn)
    The largest number of lower-case letters that a legal password
    can contain.

Maximum no. of upper-case letters (Req/Warn)
    The largest number of upper-case letters that a legal password
    can contain.

Minimum no. of punctuation marks (Req/Warn)
    The smallest number of punctuation marks that a legal password
    can contain.

Maximum no. of punctuation marks (Req/Warn)
    The largest number of punctuation marks that a legal password can
    contain.

Minimum no. of inside punctuation marks (Req/Warn)
    Same as minimum punctuation marks, but not counting the first or
    last character of the password.

Minimum no. of letters (Req/Warn)
    The smallest number of letters that a password can contain.

Start with a letter? (Req/Warn)
    Enable to require all passwords to start with a letter. Useful for
    compatibility with some systems.

Minimum no. of digits (Req/Warn)
    The smallest number of digits that a legal password can contain.

Minimum no. of digits inside (Req/Warn)
    Same as minimum digits, but not counting the first or last character
    of the password.

No words from the (provided) dictionary (Req/Warn)
    The password, stripped of non-letter characters, may not match a
    word (consisting of four or more letters) from the dictionary. This
    is case-insensitive.

No exact word match from the dictionary (Req/Warn)
    A password may not exactly match a dictionary word consisting of
    four or more letters. This is case-insensitive.

No words from dictionary contained within password (Req/Warn)
    A password, stripped of non-letter characters, may not contain
    a dictionary word. This is case-insensitive.

No rearranged words from this dictionary (Req/Warn)
    A password, stripped of non-letter characters, may not be a dictionary
    word with the letters rearranged. This is case-insensitive.

Not the user name? (Req/Warn)
    The user's name may not be used as the new password.

Not the user name backwards? (Req/Warn)
    The user's name with its letters reversed may not be used as the new
    password.

Does not contain the user name? (Req/Warn)
    The user's name may not form part of the new password.

Does not contain the user name backwards? (Req/Warn)
    The user's name with its letters reversed may not form part of the
    new password.

Not a rearranged user name? (Req/Warn)
    The user's name with its letters rearranged in any way may not be
    used as the new password.

Does not match the first N characters of the user name? (Req/Warn)
    The new password may not contain the first N characters of the
    user name.

Offer the user N random passwords (Req/Warn)
    Display N randomly-selected passwords. As a warning they are offered
    as suggestions; as a requirement, the user must choose one of them.

Maximum number of character pairs (Req/Warn)
    The largest number of pairs of the same character appearing
    consecutively in a legal password.

Require password to be approved by this plug-in (On/Off)
    An external program is called to verify that the password is
    acceptable; a password it rejects cannot be used.

Warn if the password was not approved by this plug-in (On/Off)
    An external program is called to judge whether the password is
    desirable; a password it rejects produces a warning rather than a
    rejection.

Mainframe compatible (8 chars; alpha/num or @$#) (Req/Warn)
    Intended for mainframe compatibility: at most 8 characters, each a
    letter, a digit or one of @, $ and #.

Password rules apply to the first N characters of the password (On/Off)
    Apply all other rules to the password typed by the user truncated to
    its first N characters.

Record old passwords - never reuse them (password history) (Req/Warn)
    New passwords may not be the same as passwords that appear in a
    history file.

Store new password hash in history on successful change/reset (Req/Warn)
    Enforce password history by storing hashes of old passwords.
    Users will not be able to reuse old passwords.
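A policy evaluator that implements a representative subset of the rules in the table above (length, mixed case, inside digits, repeated character pairs, the dictionary checks on the letter-stripped password, the user-name checks, mainframe compatibility, the "first N characters" truncation and a hashed history), as an added Python example. It is not Hitachi ID code and does not show how Password Manager implements these rules; the function names, the four-word sample dictionary, the rule labels and the choice of salted PBKDF2 with a constant-time comparison for the history store are all assumptions of this example.

```python
"""Evaluate a password against Req/Warn rules of the kinds listed above.
Added example, not Hitachi ID code; rule names, the sample dictionary and the
salted-PBKDF2 history store are assumptions of this example."""
import hashlib
import hmac
import os

REQUIRE, WARN = "require", "warn"


def letters_only(s):
    """Strip non-letters and lower-case: the form the dictionary rules compare."""
    return "".join(c for c in s if c.isalpha()).lower()


# Each factory returns ok(password, user_id) -> True when the rule is satisfied.
def min_length(n):
    return lambda pw, uid: len(pw) >= n

def mixed_case():
    return lambda pw, uid: any(c.islower() for c in pw) and any(c.isupper() for c in pw)

def min_digits_inside(n):
    # First and last characters do not count, so "Password1" has no inside digit.
    return lambda pw, uid: sum(c.isdigit() for c in pw[1:-1]) >= n

def max_char_pairs(n):
    # Adjacent positions holding the same character: "aabb" has two pairs.
    return lambda pw, uid: sum(a == b for a, b in zip(pw, pw[1:])) <= n

def no_dictionary_word_inside(words):
    ws = {w.lower() for w in words if len(w) >= 4}
    return lambda pw, uid: not any(w in letters_only(pw) for w in ws)

def no_rearranged_dictionary_word(words):
    # Anagram check: sorted letters of the password against sorted dictionary words.
    sigs = {"".join(sorted(w.lower())) for w in words if len(w) >= 4}
    return lambda pw, uid: "".join(sorted(letters_only(pw))) not in sigs

def not_user_name_variant():
    # Rejects the user name itself, reversed, contained, or with letters rearranged.
    def ok(pw, uid):
        p, u = pw.lower(), uid.lower()
        return u not in p and u[::-1] not in p and sorted(p) != sorted(u)
    return ok

def not_user_name_prefix(n):
    return lambda pw, uid: uid[:n].lower() not in pw.lower()

def mainframe_compatible():
    return lambda pw, uid: len(pw) <= 8 and all(c.isalnum() or c in "@#$" for c in pw)


class PasswordHistory:
    """Old passwords kept only as salted PBKDF2 hashes, never in clear (assumed design)."""

    def __init__(self, rounds=200_000):
        self.rounds = rounds
        self._entries = []                     # (salt, digest) pairs

    def _digest(self, salt, pw):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, self.rounds)

    def record(self, pw):
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(salt, pw)))

    def contains(self, pw):
        return any(hmac.compare_digest(d, self._digest(s, pw)) for s, d in self._entries)


def not_in_history(history):
    return lambda pw, uid: not history.contains(pw)


class Policy:
    def __init__(self, rules, first_n=None):
        self.rules = rules                     # (level, name, ok) triples
        self.first_n = first_n                 # "rules apply to the first N characters"

    def evaluate(self, password, user_id):
        """Return (failures, warnings); failures block the change, warnings do not."""
        checked = password[:self.first_n] if self.first_n else password
        failures, warnings = [], []
        for level, name, ok in self.rules:
            if not ok(checked, user_id):
                (failures if level == REQUIRE else warnings).append(name)
        return failures, warnings


DICTIONARY = ["password", "secret", "welcome", "summer"]       # constructed sample


def build_policy(history):
    """A small global policy assembled from the rules above."""
    return Policy([
        (REQUIRE, "minimum length 8", min_length(8)),
        (REQUIRE, "mixed case", mixed_case()),
        (REQUIRE, "at least one digit inside", min_digits_inside(1)),
        (WARN, "at most one repeated character pair", max_char_pairs(1)),
        (REQUIRE, "no dictionary word inside", no_dictionary_word_inside(DICTIONARY)),
        (REQUIRE, "not a rearranged dictionary word", no_rearranged_dictionary_word(DICTIONARY)),
        (REQUIRE, "not a user name variant", not_user_name_variant()),
        (WARN, "does not contain first 3 characters of user name", not_user_name_prefix(3)),
        (REQUIRE, "not previously used", not_in_history(history)),
    ])
```

With this policy, "Password1" for user jsmith is rejected on the dictionary rules and on the inside-digit rule (its only digit is the last character), "S3cure-Br0wn-Fox" passes until it is recorded in the history and then fails only "not previously used", and "Jsm-Tr00per9" is accepted with a warning because it starts with the first three characters of the user name. Combining the mainframe rule with first_n=8 shows the truncation caveat: "Summer2024!Quartz" is judged on "Summer20", so the dictionary word in the prefix is caught, but nothing after the eighth character contributes. The history keeps salted, slow hashes compared in constant time, so a copied history file is not a cleartext list of old passwords.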